Authoring for Snowflake Remote Engines

SteveatSafe
SteveatSafe
  • Updated

Introduction

Authoring for Snowflake Remote Engines requires a little more preparation than running workspaces on FME Flow.  As the Snowflake Remote Engines Services are located in the Snowflake Cloud, which is inherently secure, certain workflows require configuring egress rules and adjusting Database Connections to interact with Snowflake Databases.  It will also be necessary to grant the App User access to the Snowflake Databases in your Snowflake Account for the Remote Engines to access them.

This article will walk through the key steps to prepare your Snowflake Account so that workspaces can run on Remote Engines and access your Snowflake data, as well as any optional data stored in external resources such as Cloud Storage or Web Services.

 

Prerequisites 

 

Step-by-step Instructions

Part 1: Accessing Snowflake Data with the FME Remote Engines Service 

For the FME Remote Engines Service App to access any data in the Snowflake Databases, it is necessary to grant the appropriate permissions to the Application.  This may include:

  • Databases
  • Schemas
  • Tables/Views
  • Warehouses
  • Stages
  • Roles

Examples of some grants are as follows.

1. GRANT ALL ON DATABASE SUPPORT_DB TO APPLICATION FME_REMOTE_ENGINES_SERVICE_TRIAL;

This grant allows the App to access the database, SUPPORT_DB.

2. GRANT ALL ON SCHEMA SUPPORT_DB.SUPPORT TO APPLICATION FME_REMOTE_ENGINES_SERVICE_TRIAL;

This grant allows the App to access the SUPPORT schema in the SUPPORT_DB database.

3. GRANT ALL ON ALL TABLES IN SCHEMA SUPPORT_DB.SUPPORT TO APPLICATION FME_REMOTE_ENGINES_SERVICE_TRIAL;

This grant allows the App to access the tables in the SUPPORT schema within the SUPPORT_DB database.

4. GRANT USAGE ON WAREHOUSE SUPPORT_WH TO APPLICATION FME_REMOTE_ENGINES_SERVICE_TRIAL;

This grant allows the App to make use of the compute warehouse, SUPPORT_WH

5. SHOW GRANTS TO APPLICATION FME_REMOTE_ENGINES_SERVICE_TRIAL;

This statement allows you to review the grants that have been applied to the App.

 

Part 2: Authoring Workspaces for Remote Engines Service

As with all Workspaces that run in FME, it is necessary to develop the workspace with FME Form. Once you have tested the Snowflake Database Connection in FME Form and FME Flow, you are now ready to publish the workspace using the Snowpark Container Services authentication type. It will be necessary to ensure that, before publishing to FME Flow, for any workspace you wish to run in the FME Remote Engines Service in Snowflake, you switch the database connection to the Snowpark Container Services authentication type.  This will be necessary for any Snowflake readers, Snowflake writers, SQLCreator, or SQLExecuter using Snowflake, FeatureReader, and FeatureWriters transformers that are using Snowflake.  

Note that the FME Remote Engines Service does not, by default, have access to external systems and services. To grant access to external systems and services, see Part 4.

 

Publishing and Running the Workspace

1. Publish the Workspace to the FME Flow environment as usual, ensuring the correct database connection is selected and uploaded during publishing. Once the workspace has been published, it can be tested by running the workspace.

2. Ensure the correct Queue is assigned when submitting the job. When the job is submitted, the Web UI confirms on the Completed Jobs page that it has been submitted to the FME Remote Engines Service.

You can easily access the Remote Engines Service Web UI by visiting the Completed Jobs page, locating the job, and then clicking on the URL.  This will take you to the login page for the FME Remote Engines Service Web UI, where you can review the job log. 

Reviewing the job log for the remote engines is covered in Part 6 of Getting Started with Remote Engines Service for Snowflake.

Confirm the workspace results by opening the job log and verifying that the correct database connection type was used. Example: 

Snowflake Reader: Creating connection using connection string 'jdbc:snowflake://mycompany-az-east.east-us-2.azure.snowflakecomputing.com' and properties '{schema="SUPPORT", tracing=OFF, application=SafeSoftwareFME, GEOGRAPHY_OUTPUT_FORMAT=WKB, warehouse="SUPPORT_WH", authenticator=oauth, account=MYCOMPANY_AZ_EAST, db="SUPPORT_DB", GEOMETRY_OUTPUT_FORMAT=EWKB, token=************}'

In the connection string above, you’ll see the following connection parameters: authenticator=oauth and token.  There will be no user parameter present.  This confirms that the workspace is connected to the database within the Application in Snowpark.

3. A successful connection will confirm that the FME Remote Engines Service has been able to connect to the database using the provided connection parameters.

Jobs will have different permission requirements; some will be read-only, while others will have drop and create permissions on tables. Regardless of the workspaces, the Application must be granted the necessary permissions to execute the jobs.  Review Part 1 for more information.

 

Considerations  

1. Creating a database connection for use in Snowpark

  • When creating a database connection for use with the FME Remote Engines Service, ensure the Authentication Type is set to Snowpark Container Services. Also, ensure that the Warehouse, Database, and Schema are all correctly set.

2. Do not set the Role in the database connection.

  • The Snowpark Database Connection will rely on grants given directly to the FME Remote Engine Service Application, as explained in Part 1.
  • The Container does not use a username or password to access the databases.
  • Running a workspace with the FME Remote Engines Service that uses a Snowflake Database Connection with an Authentication Type other than Snowpark Container Services will fail and is not supported.
  • In FME Form, you can swap a Database Connection by right-clicking on it and replacing it with the Database Connection that contains the Snowpark Container Services authentication type. 

3. When authoring a workspace, consider that your client system will use a different database connection than when it is published to the FME Flow environment, where it will run on the FME Remote Engines Service within Snowpark. Permissions and privileges can vary; work closely with the Snowflake Administrator and DBA.

 

Part 3: Snowflake Database Connections with Remote Engines

When creating a database connection for the FME Remote Engines Service in Snowflake, ensure you set the Authentication type to Snowpark Container Services, as shown below. This connection type is only compatible with the FME Remote Engines Service App in Snowflake.  

Leave the Role parameter empty.

 

Part 4: Modifying the Egress Rules

When the FME Remote Engines Service App launches, one Egress Access Integration is created. The integration provides access to the FME Licensing service at fme-licensing.safe.com:443 and a Simple Notification Service (SNS) on AWS, both of which are related to licensing. These two endpoints are the only external access points the App has at launch.  

If other external endpoints are required, for example, another public API is needed to pull data from, it will be necessary to create a new network rule, a new external access integration, grant this access to the FME Remote Engines Service App, and call a procedure to enable the external access integration.

 

1. From within Snowsight, create a new network rule (run as ACCOUNTADMIN)

CREATE NETWORK RULE IF NOT EXISTS consumer_network_rule MODE = EGRESS TYPE = HOST_PORT VALUE_LIST = ('0.0.0.0:443'); 

Replace the value list contents with a list of DNS names/ports to authorize. These can be IP addresses or DNS names.

For example:  ('10.10.10.1:443', 'arcgis.com:443')

For more information on creating network rules and examples of value lists, please refer to this link.

 

2. Next, create the External Access Integration (run as ACCOUNTADMIN)

CREATE EXTERNAL ACCESS INTEGRATION IF NOT EXISTS consumer_external_access ALLOWED_NETWORK_RULES = ('consumer_network_rule') ENABLED = TRUE;

GRANT USAGE ON integration consumer_external_access TO APPLICATION <APP_NAME>;

Where <APP_NAME> will be FME_REMOTE_ENGINES_SERVICE_TRIAL (unless a different name was entered in Part 1, step 7 of Getting Started with Remote Engines Service for Snowflake).

 

3. Next, enable the External Integration

CALL <APP_NAME>.APP_PUBLIC.SETUP_EXTERNAL_INTEGRATION('consumer_external_access');

The External Integration can be altered in the future if required.  More information can be found here.

 

Contact Us and Provide Feedback

As this is a new offering from Safe Software, please don't hesitate to contact our support team or your Safe Software Account Executive.

This article may contain variations in the included screenshots, or the Snowflake Web UI may look different. This may be related to changes and updates to the Snowflake environment. We intend to update this article as needed and welcome any comments.

Was this article helpful?

We're sorry to hear that.

Please tell us why.

As of January 14th, 2026, comments on knowledge base articles have been closed. To make sure questions don’t get missed and to enable more community support, we’ve moved discussions to the FME Community. If you have a question or a comment about this article, please create a new post or create a support ticket.